
Cyber Breach and Impacts on Brand

Uber confirmed on 15 September 2022 that it had been hacked. Multi-factor authentication (MFA) fatigue gave the malicious actors internal access to a PowerShell script with hardcoded administrator credentials saved in it. With those credentials they could reach several internal resources, including the OneLogin password manager, GSuite, Duo and many more. Eight days later, on 23 September, every news agency carried a headline about Optus, the second largest mobile operator in Australia: a massive data breach. “Optus fears data on up to 9.8 million of its customers has been accessed”, including customer account details, driver’s licence numbers, passport details, and 14,900 valid card numbers. The latest report from the Office of the Australian Information Commissioner (OAIC) shows that from July 2021 to December 2021, 464 notifications of data breaches were received, a 6% increase on the previous reporting period. The report suggests that in 80% of cases it took the entity up to 30 days to identify that a breach had occurred, and in 4% of cases up to a year. The source of the breach in over half of these incidents was a malicious or criminal attack, while 41% were related to human error.

Cyber attacks, and data breaches in particular, can damage brands in many ways. Financial impacts, loss of customer trust in the brand, legal and regulatory action, cyber insurance premium increases and loss of competitive advantage are among the impacts a data breach can have on a brand. The following sections review these impacts.

Financial Impacts:

Cybercrime costs the Australian economy an estimated $42 billion

Source: UNSW

In Australia the cost is $3.35 million per breach, an increase of 9.8% year on year. This is about $2 million less than the global average of $5.39 million (about US$3.86 million) in 2020, and breaks down to $163 per lost or stolen record, according to IBM Security’s 2020 edition of the Cost of a Data Breach Report.

Source: IBM Costs of a Data Breach Report

Customer Impacts:

Are the costs above the only financial costs incurred as a result of a data breach? According to a study by PwC, only 25% of consumers surveyed thought companies would handle their data responsibly, and 87% of consumers will not use a business if they feel it is not handling their data properly. Once that trust is gone, in most cases it is gone for good. Another study by IDC suggests that 80% of small businesses have experienced downtime and/or data loss at some point in the past, with costs ranging from $82,200 to $256,000 for a single event. What does this mean for IT? Every minute counts in a data recovery scenario, to the tune of $137 to $427 per minute.

Fines, Legal and Regulatory Impacts:

Legal and regulatory liabilities are another line item in the cost of a data breach and its impact on the brand. For instance, the Payment Card Industry Data Security Standard (PCI DSS) requires that any company processing, storing, or maintaining credit card information does so in a secure environment. Failure to take appropriate safeguards can cost you in the form of fines and may even cause you to lose your merchant account.

In Australia, under the Notifiable Data Breaches scheme, organisations have up to 30 days to assess the extent of a data breach and must report it to the Office of the Australian Information Commissioner if the breach is likely to result in serious harm.

Examples of serious harm include:

  • identity theft, which can affect your finances and credit report
  • financial loss through fraud
  • a likely risk of physical harm, such as by an abusive ex-partner
  • serious psychological harm
  • serious harm to an individual’s reputation

An amendment to the Privacy Act will increase penalties for all entities covered by the Act, including social media and online platforms operating in Australia, from the current maximum penalty of $2.1 million for serious or repeated breaches to $10 million, or three times the value of any benefit obtained through the misuse of information, or 10% of a company’s annual domestic turnover, whichever is greater. The amendment also gives the Office of the Australian Information Commissioner (OAIC) new infringement notice powers, backed by penalties of up to $63,000 for bodies corporate and $12,600 for individuals for failure to cooperate with efforts to resolve minor breaches.

Cyber Insurance Premium Impacts:

Lastly, cyber insurance premiums increase once a data breach has occurred or been reported. This varies between insurance providers, but what is evident is that the greater the cyber threat exposure, the greater the cyber insurance cost required to justify coverage.

Recommendation:

To avoid or minimise such impacts on an organisation’s brand, it is crucial to have a regular assessment regime in place that identifies internal and external cyber threats and gives a clear understanding of their likelihood. Deploying security controls by itself does not guarantee protection against data breaches; it is a combined people, process and technology effort that carries organisations through their cyber protection journey. While most companies consciously invest in their internal attack surface and security controls, it is just as important, if not more so, to identify external risks and manage them. External threats are those affecting any externally facing assets. They can include:

  • Any currently compromised credentials that can be easily used by attackers
  • Digital Certificate’s trust chain that may have been broken
  • Exposed vulnerable Application Programming Interfaces (APIs), internal applications or cloud storage
  • Domains’ and subdomains’ vulnerabilities in addition to any external open ports, such as FTP, SMTP, RDP or SSH

It is also important to have threat intelligence capabilities in place to identify any threat actors impersonating the organisation, and to have visibility across the dark web for any mention of the brand or key personnel.

Organisations must be vigilant in the wake of the Optus breach.

If you would like to know how CyberDNA can help, please contact us here.
